Disclosures FAQs

Under HIPAA, limited information may be shared with law enforcement in certain circumstances. The more common examples seen at UofL include:

When Required by Law, such as a law that requires reporting of certain types of wounds (e.g., gunshot wounds) or in response to a court order or subpoena.

For Identification and Location Purposes, for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. The covered entity may disclose only the following information:

  1. Name and address;
  2. Date and place of birth;
  3. Social Security numbers;
  4. ABO blood type and rh factor
  5. Type of injury
  6. Date and time of treatment;
  7. Date and time of death, if applicable; and ;
  8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.

For the purposes of identification or location, the covered entity may not disclose any PHI related to the individual's DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue.

There are other less frequent circumstances where disclosures to law enforcement are permitted. The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic.

Court Order - A covered entity may disclose only the PHI expressly authorized by a court order.

Subpoena, Discovery Request, or Other Lawful Process -  A covered entity may disclose PHI In response to a subpoena, discovery request, or other lawful process if it receives satisfactory assurance in writing from the party seeking the information that the party has made a good faith attempt to provide written notice to the individual and that the notice:

  1. Included sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court, and
  2. The time for the individual to raise objections to the court has elapsed, and either no objections were filed or the objections have been resolved by the court. 
The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic.

For the purpose of fundraising, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following PHI without an authorization:

  1. Demographic information, which includes name, address or other contact information, age, gender, insurance status,
  2. Date of Birth, and
  3. Dates of health care provided to an individual.

Any fundraising materials sent to an individual should include a clear and conspicuous description of how the individual may opt out of future fundraising communications. Covered entities must honor any opt outs received. The UofL Privacy Office HIPAA Policy Manual, PO-23 Fundraising, (log-in required) provides additional information about this topic. 

HIPAA regulates the PHI of decedents for 50 years after the date of death.  However, HIPAA permits the disclosure of decedent information in certain circumstances and with certain limitations.

Examples include:

  • Coroners and Medical Examiners - A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
  • Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes - A covered entity may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) provides additional information about this topic. 

HIPAA permits the disclosure of PHI to Adult or Child Protective Services in some circumstances.

For Children - A covered entity may disclose PHI to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. This exception is one of the “Public Health Activities” provided by HIPAA.

For Adults - If a covered entity reasonably believes that an individual is a victim of abuse, neglect, or domestic violence, it may disclose PHI of the individual to a public health authority or other government authority authorized by law to receive reports of abuse, neglect, or domestic violence in accordance with the following:

  1. To the extent the disclosure is required by law and is limited to the relevant requirements of the law;
  2. If the individual agrees to the disclosure; or
  3. To the extent the disclosure is expressly authorized by statute or regulation and:
  • The covered entity believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
  • If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

If such a disclosure is made for adult abuse, neglect, or domestic violence scenarios, the covered entity has additional obligations for informing the individual of the reported disclosure. Please see The UofL Privacy Office HIPAA Policy Manual, PO-10.7 Uses & Disclosures of Protected Health Information - Uses and Disclosures Without Authorization, (log-in required) for additional information on the adult abuse, neglect, and domestic violence reporting requirements.

Generally, an individual’s right to control PHI depends upon that same individual’s right to control the health care decision. HIPAA defers to state law for matters regarding parents and minors, but does provide two exceptions which may be used to address this question:

Disclosures to Family, Friends, and Others Involved in the Care of an Individual - HIPAA permits the disclosure to a person(s) involved in the current health care of an individual (e.g., family, friends, and others) PHI that is directly related to the person’s involvement in the current health of the individual or the payment related to that health care. This provision is not only for parents and minors but may also be applied to adult patients and their caregivers.

This provision, for example, allows a physician or staff to share details that might be important to the current care of the individual, such as a diagnosis or prognosis, or specific instructions for monitoring health or symptoms of the individual.

Personal Representative - This exception provides a broader scope of access and rights to information than the provision for family, friends, and others. It allows for access to the individual’s record, including the receipt of a complete copy of the record.

This provision says if, under applicable (state) law, a parent, guardian or other person acting in loco parentis has the authority to act on behalf of an unemancipated minor (child) in making decision related to health care, a covered entity must treat such person as the personal representative of the individual. This generally means PHI can be disclosed to the personal representative in the same way as if the individual (e.g., child) were making the request for access to PHI.

It’s important to note that the discretion to deny or provide access to a parent under HIPAA may only be exercised by a licensed health care professional who is exercising his/her professional judgment.

The UofL Privacy Office HIPAA Policy Manual, PO-10 Uses & Disclosures of Protected Health Information, (log-in required) provides additional information on disclosures to family, friends, and others involved in the care of individuals.